Description
Trilogy is a client library for MySQL. During authentication, a malicious server could return a specially crafted authentication packet that causes the client to read, and return to the caller, up to 12 bytes from an uninitialized variable in stack memory (CWE-908). Users of the trilogy gem should upgrade to version 2.1.1. Until then, the issue can be avoided by connecting only to trusted servers.
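The record describes the bug class but not the code, so the following C example is added here to illustrate it; it is not trilogy's code and does not reconstruct the actual patch. It shows a client-side parser that copies a server-supplied amount of authentication data into an uninitialized stack buffer and then returns the whole buffer, beside a hardened version that zero-initializes the buffer and rejects a packet that does not carry the expected amount of data. The packet layout, function names and sample packets are constructed for the example; only the 8-byte first scramble part and the 20-byte native-password scramble length are taken from the MySQL protocol. The 12-byte gap between those two figures is why the example leaks up to 12 bytes; whether the trilogy bug involved that exact field is not something this record states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for this example (not the real MySQL handshake, which
 * carries more fields): 8 bytes of scramble part 1, a one-byte length n,
 * then n bytes of scramble part 2. A well-formed server supplies n == 12 so
 * that part 1 + part 2 fill the 20-byte native-password scramble. */
#define SCRAMBLE_LEN 20
#define PART1_LEN    8
#define PART2_LEN    (SCRAMBLE_LEN - PART1_LEN)   /* 12 */

/* Vulnerable pattern (CWE-908): the scramble lives in an uninitialized stack
 * buffer; only the bytes the server actually sent are written, yet all 20
 * are copied to the caller. A server that sends n < 12 makes the client hand
 * back 12 - n bytes of whatever was left on the stack. Returns the number of
 * bytes genuinely written from the packet, or -1 on a truncated packet. */
int parse_scramble_vulnerable(const uint8_t *pkt, size_t len,
                              uint8_t out[SCRAMBLE_LEN])
{
    uint8_t scramble[SCRAMBLE_LEN];          /* never initialized */
    if (len < PART1_LEN + 1)
        return -1;
    memcpy(scramble, pkt, PART1_LEN);
    size_t n = pkt[PART1_LEN];
    if (n > PART2_LEN)
        n = PART2_LEN;                        /* bounds check only; a short n is accepted */
    if (len < PART1_LEN + 1 + n)
        return -1;
    memcpy(scramble + PART1_LEN, pkt + PART1_LEN + 1, n);
    memcpy(out, scramble, SCRAMBLE_LEN);     /* copies 12 - n stale stack bytes */
    return (int)(PART1_LEN + n);
}

/* Hardened: zero the buffer first so nothing stale can leak, and reject a
 * server that does not supply exactly the 12 bytes the protocol needs.
 * Returns 20 on success, -1 on any malformed packet. */
int parse_scramble_hardened(const uint8_t *pkt, size_t len,
                            uint8_t out[SCRAMBLE_LEN])
{
    uint8_t scramble[SCRAMBLE_LEN] = {0};    /* defined contents from the start */
    if (len < PART1_LEN + 1)
        return -1;
    size_t n = pkt[PART1_LEN];
    if (n != PART2_LEN || len < PART1_LEN + 1 + n)
        return -1;                            /* short auth data is a protocol error */
    memcpy(scramble, pkt, PART1_LEN);
    memcpy(scramble + PART1_LEN, pkt + PART1_LEN + 1, n);
    memcpy(out, scramble, SCRAMBLE_LEN);
    return SCRAMBLE_LEN;
}

/* Constructed packets: a well-formed one (n == 12) and a malicious one
 * that advertises only 4 bytes of part 2. */
static const uint8_t GOOD_PKT[] = {
    'A','B','C','D','E','F','G','H', 12,
    'a','b','c','d','e','f','g','h','i','j','k','l'
};
static const uint8_t SHORT_PKT[] = {
    'A','B','C','D','E','F','G','H', 4,
    'w','x','y','z'
};

int main(void)
{
    uint8_t out[SCRAMBLE_LEN];
    int r = parse_scramble_vulnerable(SHORT_PKT, sizeof SHORT_PKT, out);
    printf("vulnerable: accepted, %d of %d bytes came from the server:\n",
           r, SCRAMBLE_LEN);
    for (int i = 0; i < SCRAMBLE_LEN; i++)           /* bytes after '|' are stale stack */
        printf("%02x%s", out[i], i == r - 1 ? " | " : " ");
    printf("\nhardened:   %s\n",
           parse_scramble_hardened(SHORT_PKT, sizeof SHORT_PKT, out) < 0
               ? "rejected" : "accepted");
    return 0;
}
```

The malicious packet is accepted by the vulnerable parser, which reports that only 12 of the 20 returned bytes came from the server; the remaining 8 are whatever the stack held. The hardened parser rejects the same packet and accepts only the well-formed one. Zero-initializing alone would stop the leak but silently produce a scramble the server never sent; failing the handshake is the better response to a peer that violates the protocol.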
References (2)
Third Party Advisory (x_refsource_confirm): https://github.com/github/trilogy/security/advisories/GHSA-5g4r-2qhx-vqfm
Patch, Third Party Advisory (x_refsource_misc): https://github.com/github/trilogy/commit/6bed62789eaf119902b0fe247d2a91d56c31a962
Scores
CVSS v3 base score
5.9
CVSS v3 vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
NETWORK
EPSS
0.0030
EPSS Percentile
53.1%
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-908
Status
published
Products (2)
rubygems/trilogy (RubyGems)
>= 0, < 2.1.1
trilogy_project/trilogy
< 2.1.1
Published
Jun 09, 2022
Tracked Since
Feb 18, 2026